The in-band nature of direct end-to-end voice over Internet communication is often cited as a source of security weakness. For example, a user becomes more vulnerable to hacking, masquerading and denial of service attacks that originate on the Internet. The out-of-band nature of standard telephony, on the other hand, ensures that use of standard phones and cell phones with a phone number does not suffer from these security weaknesses. However, standard telephony is expensive, especially for international phone calls involving cell phones and roaming charges. For example, a person may travel to a foreign country and attempt to use a credit card, only to find that her own credit card company has blocked the transaction for her own protection; and since she may not have call roaming in the foreign country because of the high cost involved, the credit card company's attempts to reach her by phone to authenticate the transaction will fail. The end result is that a business transaction involving an authentication attempt by phone could not be fulfilled.
It is also worth pointing out the signaling delays that are prevalent in standard PSTN telephony, from the perspective of a computer process initiating a voice call. It can sometimes take 10 to 15 seconds for a call to appear as a ring tone, which alerts the person being called. In contrast, in-band voice over Internet calling typically has a delay of less than 1 second between initiation of a call and the ring tone event.
Because of the above security, cost and transaction-speed issues, “single click”, “single touch” or “single command” business transactions that involve 3 factors of authentication simultaneously are not found.
In many authentication systems, security questions are posed to test knowledge of one's personal secrets. These questions may be displayed on a screen to be read, or they may be spoken using text converted to speech. In either case, such systems are subject to eavesdropping, where a would-be attacker can break the system by first discovering the security questions being asked. Hence, while security questions are desirable, the possibility of an attacker eavesdropping on or otherwise learning these questions presents problems for the security of an authentication system.
Another problem in securing business transactions, including payment transactions, is repudiation. In this context, repudiation is the refusal of an individual to acknowledge that certain commitments (financial or otherwise) have accrued from a transaction. This problem is exacerbated in verbal transactions. Some complex biometric types of authentication can be repudiated because it is difficult for normal human beings to verify them without the aid of experts or a computer. The argument of forgery has been successfully used in some cases to repudiate a previously executed business transaction. For instance, the practice of hand-written signatures on documents like checks is susceptible to forgery. A would-be thief can learn how to copy the victim's signature quite easily.
Recently, some electronic signing systems have appeared that depend on routing a document for signature to the correct email address of the intended signer. These have the further problem that email can be hijacked or diverted by a would-be attacker; once the attacker receives the email with the document for signing, this person is allowed to sign the document. A much more secure method for signatures is needed. Also, the person who signed such a document could always claim at a later date that someone else intercepted the email and signed the document without his knowledge. A more secure method of signature, which cannot be repudiated, is desirable.